MSCHAPv2, MySQL, Freeradius

Dan Russell dan at in-house.com.au
Tue Oct 4 07:37:28 CEST 2005


> -----Original Message-----
> From: freeradius-users-bounces at lists.freeradius.org
> [mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Tuesday, 4 October 2005 3:17 PM
> To: FreeRadius users mailing list
> Subject: Re: MSCHAPv2, MySQL, Freeradius
> 
> "Dan Russell" <dan at in-house.com.au> wrote:
> > >   Because you put it into the NT-Password attribute, instead of the
> > > User-Password attribute.
> >
> > Okay, I've tried that and not found it to work for me.
> 
>   Sorry, it *does* work.  Since you didn't provide any debug logs or
> config examples, I can only suggest that you probably did it wrong.
> 

Hey, I'm not having a go at you, I believe it does work, I'm just having
issues getting it working.

Here is the log of someone attempting to log in:

rad_recv: Access-Request packet from host x.x.x.x:32775, id=33,
length=177
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 422
        NAS-Port-Type = Ethernet
        User-Name = "wolfer"
        Calling-Station-Id = "00:50:FC:68:E6:32"
        NAS-Port-Id = "ether2"
        MS-CHAP-Challenge = 0x700b1e514cb6628c25441cb76ce17109
        MS-CHAP2-Response =
0x010051c12db8db344c7c72d03bda36fd556d000000000000000076fb28d715a538d4ae
05b012cd5edb6e86ee71d8f6d6bbc0
        NAS-Identifier = "NAS"
        NAS-IP-Address = x.x.x.x
Tue Oct  4 15:10:39 2005 : Debug:   Processing the authorize section of
radiusd.conf
Tue Oct  4 15:10:39 2005 : Debug: modcall: entering group authorize for
request 5
Tue Oct  4 15:10:39 2005 : Debug:   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 5
Tue Oct  4 15:10:39 2005 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 5
Tue Oct  4 15:10:39 2005 : Debug:   modcall[authorize]: module
"preprocess" returns ok for request 5
Tue Oct  4 15:10:39 2005 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 5
Tue Oct  4 15:10:39 2005 : Debug:   modsingle[authorize]: returned from
chap (rlm_chap) for request 5
Tue Oct  4 15:10:39 2005 : Debug:   modcall[authorize]: module "chap"
returns noop for request 5
Tue Oct  4 15:10:39 2005 : Debug:   modsingle[authorize]: calling sql
(rlm_sql) for request 5
Tue Oct  4 15:10:39 2005 : Debug: radius_xlat:  'wolfer'
Tue Oct  4 15:10:39 2005 : Debug: rlm_sql (sql): sql_set_user escaped
user --> 'wolfer'
Tue Oct  4 15:10:39 2005 : Debug: radius_xlat:  'SELECT
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'wolfer'
ORDER BY id'
Tue Oct  4 15:10:39 2005 : Debug: rlm_sql (sql): Reserving sql socket
id: 4
Tue Oct  4 15:10:39 2005 : Debug: radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgrou
pcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'wolfer' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
Tue Oct  4 15:10:39 2005 : Debug: radius_xlat:  'SELECT
id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'wolfer'
ORDER BY id'
Tue Oct  4 15:10:39 2005 : Debug: radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrou
preply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = 'wolfer' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
Tue Oct  4 15:10:39 2005 : Info: rlm_sql (sql): No matching entry in the
database for request from user [wolfer]
Tue Oct  4 15:10:39 2005 : Debug: rlm_sql (sql): Released sql socket id:
4
Tue Oct  4 15:10:39 2005 : Debug:   modsingle[authorize]: returned from
sql (rlm_sql) for request 5
Tue Oct  4 15:10:39 2005 : Debug:   modcall[authorize]: module "sql"
returns notfound for request 5
Tue Oct  4 15:10:39 2005 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 5
Tue Oct  4 15:10:39 2005 : Debug:   rlm_mschap: Found MS-CHAP
attributes.  Setting 'Auth-Type  = MS-CHAP'
Tue Oct  4 15:10:39 2005 : Debug:   modsingle[authorize]: returned from
mschap (rlm_mschap) for request 5
Tue Oct  4 15:10:39 2005 : Debug:   modcall[authorize]: module "mschap"
returns ok for request 5
Tue Oct  4 15:10:39 2005 : Debug: modcall: group authorize returns ok
for request 5
Tue Oct  4 15:10:39 2005 : Debug:   rad_check_password:  Found Auth-Type
MS-CHAP
Tue Oct  4 15:10:39 2005 : Debug: auth: type "MS-CHAP"
Tue Oct  4 15:10:39 2005 : Debug:   Processing the authenticate section
of radiusd.conf
Tue Oct  4 15:10:39 2005 : Debug: modcall: entering group Auth-Type for
request 5
Tue Oct  4 15:10:39 2005 : Debug:   modsingle[authenticate]: calling
mschap (rlm_mschap) for request 5
Tue Oct  4 15:10:39 2005 : Debug:   rlm_mschap: No User-Password
configured.  Cannot create LM-Password.
Tue Oct  4 15:10:39 2005 : Debug:   rlm_mschap: No User-Password
configured.  Cannot create NT-Password.
Tue Oct  4 15:10:39 2005 : Debug:   rlm_mschap: Told to do MS-CHAPv2 for
wolfer with NT-Password
Tue Oct  4 15:10:39 2005 : Debug:   rlm_mschap: FAILED: No
NT/LM-Password.  Cannot perform authentication.
Tue Oct  4 15:10:39 2005 : Debug:   rlm_mschap: FAILED:
MS-CHAP2-Response is incorrect
Tue Oct  4 15:10:39 2005 : Debug:   modsingle[authenticate]: returned
from mschap (rlm_mschap) for request 5
Tue Oct  4 15:10:39 2005 : Debug:   modcall[authenticate]: module
"mschap" returns reject for request 5
Tue Oct  4 15:10:39 2005 : Debug: modcall: group Auth-Type returns
reject for request 5
Tue Oct  4 15:10:39 2005 : Debug: auth: Failed to validate the user.
Tue Oct  4 15:10:39 2005 : Auth: Login incorrect: [wolfer/<no
User-Password attribute>] (from client build port 422 cli
00:50:FC:68:E6:32)
Tue Oct  4 15:10:39 2005 : Debug: Delaying request 5 for 1 seconds
Tue Oct  4 15:10:39 2005 : Debug: Finished request 5
Tue Oct  4 15:10:39 2005 : Debug: Going to the next request
Tue Oct  4 15:10:39 2005 : Debug: --- Walking the entire request list
---
Tue Oct  4 15:10:39 2005 : Debug: Waking up in 1 seconds...
Tue Oct  4 15:10:40 2005 : Debug: --- Walking the entire request list
---
Tue Oct  4 15:10:40 2005 : Debug: Waking up in 1 seconds...
rad_recv: Access-Request packet from host x.x.x.x:32775, id=33,
length=177
Sending Access-Reject of id 33 to x.x.x.x:32775


Here is a snippet of the radcheck table:

ID  UserName  Attribute         op  Value
25  wolfer    SMB-Account-CTRL  ==  16
27  wolfer    NT-Password       ==  0x47C8F8E50C470E37AAD3B435B51404EE

Any help?

Thanks for any help in advance,

Daniel Russell

> > It tries to get the 'User-Password' attribute first (which it fails on,
> > I don't have one), then it tries to get the 'LM-Password' attribute
> > which it also fails on.  After dealing with that it tries the same thing
> > with 'NT-Password'.  For some reason it isn't pulling these attributes
> > out of MySQL.
> 
>   Read the debug log.  It will tell you what it *is* getting from MySQL.
> 
> > After looking at the debug output from freeradius, the sql statement
> > that it executes when it receives an authentication request should
> > return the LM-Password and NT-Password.
> 
>   Does it return those attributes when you run the query by hand?
> 
>   Alan DeKok.
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
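The NT-Password check item this thread is about, as an added example that is not code from the post or from FreeRADIUS: it computes the Value rlm_mschap expects in an NT-Password row (MD4 over the UTF-16LE password, written as the 0x-prefixed hex the thread uses) with a pure-Python MD4, and sanity-checks a Value read back from radcheck. The LM_EMPTY_HALF constant and the checks in check_nt_password_value are heuristics chosen here, not something FreeRADIUS itself does.

```python
import struct

_M = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is an OpenSSL 'legacy' algorithm and often unavailable."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & _M
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, round constant, order of X[] words, shift amounts)
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rol((a + fn(b, c, d) + x[k] + const) & _M, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles so the next step updates what was d
        state = [(s + v) & _M for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_password(password: str) -> str:
    """The Value to store under Attribute 'NT-Password': MD4 over the UTF-16LE password, hex, 0x prefix."""
    return "0x" + _md4(password.encode("utf-16-le")).hex().upper()


# LM hash of an all-padding 7-byte half (well-known constant). Its presence in a 32-hex value is a
# strong sign the value is an LM hash, not an NT hash. Heuristic chosen here, not a FreeRADIUS check.
LM_EMPTY_HALF = "AAD3B435B51404EE"


def check_nt_password_value(value: str) -> list:
    """Problems with a Value pulled from a radcheck NT-Password row; an empty list means it looks usable."""
    problems = []
    stripped = value.strip()
    if stripped != value:
        problems.append("leading/trailing whitespace in the stored value")
    hexpart = stripped[2:] if stripped.lower().startswith("0x") else stripped
    if len(hexpart) != 32 or any(ch not in "0123456789abcdefABCDEF" for ch in hexpart):
        problems.append("not 32 hex characters")
    elif LM_EMPTY_HALF in hexpart.upper():
        problems.append("contains the empty LM-hash half: looks like an LM-Password, not an NT-Password")
    return problems
```

Applied to the NT-Password Value in the radcheck snippet above, the check reports that the second half of that value is the empty LM-hash half, i.e. the stored value has the shape of an LM-Password rather than an NT-Password.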
